diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index 9533155c8..1d7f714d3 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -1802,8 +1802,29 @@ site-specific customization of B<@{HOMEDIRS}>, F for B<@{multiarch}> and F for B<@{XDG_*}>. -The special B<@{profile_name}> variable is set to the profile name and may be -used in all policy. +=head3 Special builtin variables + +AppArmor has some builtin variables that are not declared in policy +but are available to be used in policy. + + @{profile_name} - the profile name + @{attach_path} - the profile exec attachment path - if one has been defined + @{exec_path} - the executables path + + +The B<@{profile_name}> variable is set to the profile name and may be +used in all policy. It is only defined when used inside of a profile. + +The B<@{attach_path}> variable is only defined if the profile will attach +to an executable. It will be the path attachment specification or +if that is not defined it may be the profile's name if the profile name +is a path. + +The B<@{exec_path}> variable like B<@{attach_path}> is only defined if +the profile attaches to an executable. If the kernel supports it as a +kernel variable, it will be set to the specific path that matches the +executable at run time. If the kernel does not support kernel variables +it will have the same value as B<@{attach_path}>. =head3 Notes on variable expansion and the / character diff --git a/parser/parser.h b/parser/parser.h index 005bbe580..df056aa5d 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -294,9 +294,10 @@ do { \ version; \ }) -/* The parser fills this variable in automatically */ +/* The parser fills these variable in automatically */ #define PROFILE_NAME_VARIABLE "profile_name" - +#define PROFILE_ATTACH_VAR "attach_path" +#define PROFILE_EXEC_VAR "exec_path" /* from parser_common.c */ extern uint32_t policy_version; 
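Review bot: The updated comment `/* The parser fills these variable in automatically */` has a number-agreement slip; make it `/* The parser fills these variables in automatically */`. The new macro names PROFILE_ATTACH_VAR and PROFILE_EXEC_VAR do not follow the existing PROFILE_NAME_VARIABLE pattern, so a reader grepping for `_VARIABLE` finds only one of the three builtins; either PROFILE_ATTACH_VARIABLE/PROFILE_EXEC_VARIABLE, or a one-line comment stating that all three are the policy-visible `@{...}` names, would help. The blank line that separated the defines from the `/* from parser_common.c */` group is also dropped, so two unrelated groups now read as one.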
@@ -395,6 +396,7 @@ extern const char *basedir; #define glob_default 0 #define glob_null 1 +const char *local_name(const char *name); extern pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob, std::string& pcre, int *first_re_pos); extern bool build_list_val_expr(std::string& buffer, struct value_list *list); diff --git a/parser/parser_variable.c b/parser/parser_variable.c index c04e2a11a..a920ce7f1 100644 --- a/parser/parser_variable.c +++ b/parser/parser_variable.c @@ -295,8 +295,22 @@ static int process_variables_in_name(Profile &prof) * setup */ int error = expand_entry_variables(&prof.name); - if (!error && prof.attachment) - error = expand_entry_variables(&prof.attachment); + if (!error) { + if (prof.attachment) + error = expand_entry_variables(&prof.attachment); + else if (prof.name[0] == '/') { + /* had to wait to do this until after processing the + * variables in the profile name + */ + prof.attachment = strdup(local_name(prof.name)); + if (!prof.attachment) { + errno = ENOMEM; + return -1; + } + filter_slashes(prof.attachment); + } + } + if (!error && prof.flags.disconnected_path) error = process_variable_in_attach_disconnected(&prof.flags.disconnected_path); if (!error && prof.flags.disconnected_ipc) 
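Review bot: `const char *local_name(const char *name);` is added without `extern` and without the `/* from <file>.c */` grouping comment that the neighbouring declarations use, and no definition of local_name appears anywhere in this diff. If it is an existing helper that was previously file-local, the commit message should say so; either way declare it as `extern const char *local_name(const char *name);` under the group for the file that defines it. A one-line comment on what it returns (presumably the leaf part of a hierarchical profile name, but that is not visible here) would help the reader of process_variables_in_name, which is the only caller in this diff.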
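Review bot: The new else branch makes every profile whose expanded name begins with `/` carry a synthesized attachment, which every later consumer of `prof.attachment` (xmatch generation, the new `@{attach_path}`/`@{exec_path}` variables, dumps) now sees; that is the real behaviour change of this commit, yet the comment in the branch only explains the ordering, not the intent. Suggest `/* a path-named profile attaches to its own name: synthesize the attachment so the rest of the parser treats it like an explicit one */` above the strdup. The guard `prof.name[0] == '/'` tests the full name while `local_name(prof.name)` is what gets copied; if prof.name can be hierarchical at this point the two disagree (Profile's name form is not visible in the hunk), and if it cannot, local_name() is a no-op that deserves a short comment saying why it is called. On the failure path `errno = ENOMEM; return -1;` returns a sentinel where the rest of the function propagates `error` from expand_entry_variables; confirm the caller treats both the same. process_variables_in_name begins and ends outside the hunk.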
@@ -331,23 +345,59 @@ int process_profile_variables(Profile *prof) */ error = process_variables_in_name(*prof); - if (!error) { - /* escape profile name elements that could be interpreted - * as regular expressions. + if (error) + goto out; + + /* escape profile name elements that could be interpreted as + * regular expressions. + */ + error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str()); + if (error) + goto out; + + if (prof->attachment) { + /* IF we didn't want a path based profile name to generate + * an attachment. The code could be moved here. Add the + * output fed into the vars directly instead of setting + * the attachment. */ - error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str()); + /* need to take into account alias, but not yet */ + error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment); + if (error) + goto cleanup_name; + /* update to use kernel vars if available */ + error = new_set_var(PROFILE_EXEC_VAR, prof->attachment); + if (error) + goto cleanup_attach; } - if (!error) - error = process_variables_in_entries(prof->entries); - - if (!error) - error = process_variables_in_rules(*prof); + error = process_variables_in_entries(prof->entries); + if (error) + goto cleanup; + error = process_variables_in_rules(*prof); +cleanup: + /* ideally these variables would be local scoped and we would not + * have to clean them up here, but unfortunately variables + * don't support that yet. + */ + if (prof->attachment) { + rc = delete_set_var(PROFILE_EXEC_VAR); + if (!error) + error = rc; + } +cleanup_attach: + if (prof->attachment) { + rc = delete_set_var(PROFILE_ATTACH_VAR); + if (!error) + error = rc; + } +cleanup_name: rc = delete_set_var(PROFILE_NAME_VARIABLE); if (!error) error = rc; +out: return error; } diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh index f0b90379b..333284f1d 100755 --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh 
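Review bot: PROFILE_ATTACH_VAR and PROFILE_EXEC_VAR are set from `prof->attachment` verbatim while PROFILE_NAME_VARIABLE goes through escape_re(), so for a profile such as `/t/*` a rule `@{attach_path} rw,` is a glob but `@{profile_name} rw,` is the literal name; the equality.sh tests show this asymmetry is intended, but nothing in the code says so. Suggest replacing `/* need to take into account alias, but not yet */` with `/* TODO: honour aliases. Unlike profile_name, the attachment is a pattern spec and is deliberately not re-escaped. */`. The `/* IF we didn't want a path based profile name ... */` paragraph describes an alternative design rather than this code and would read better as a TODO above the `if` or in the commit message. The cleanup chain (cleanup → cleanup_attach → cleanup_name → out) matches creation order and delete errors only replace a zero `error`, which looks right; a one-line comment that both `if (prof->attachment)` guards mirror the creation guard above would save the next reader re-deriving it. The function's opening lines, including the declaration of `rc`, are outside the hunk.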
@@ -971,6 +971,144 @@ verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \ #### end of wrapper fn } +test_parser_variables() +{ + ######## @{profile_name} ####### + verify_binary_equality "@{profile_name} expands correctly" \ + "/t { @{profile_name} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{profile_name} expands correcly - filter /" \ + "/t { /r/@{profile_name} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{profile_name} expands correcly - add globbing" \ + "/t { @{profile_name}/** r, }" \ + "/t { /t/** r, }" + + #re expression are escaped in profile names so /t/* becomes /t/\* + verify_binary_inequality "@{profile_name} w/pat expands correctly" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{profile_name} w/pat expands correctly" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/\* r, }" + + verify_binary_inequality "@{profile_name} w/pat expands correcly - filter /" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{profile_name} w/pat expands correcly - filter /" \ + "/t/* { @{profile_name}/a r, }" \ + "/t/* { /t/\*/a r, }" + + verify_binary_inequality "@{profile_name} w/pat expands correcly - add globbing" \ + "/t/* { @{profile_name}/** r, }" \ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{profile_name} w/pat expands correcly - add globbing" \ + "/t/** { @{profile_name}/** r, }" \ + "/t/** { /t/\*\*/** r, }" + + ######## @{attach_path} ####### + verify_binary_equality "@{attach_path} expands correctly" \ + "/t { @{attach_path} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{attach_path} expands correcly - filter /" \ + "/t { /r/@{attach_path} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{attach_path} expands correcly - add globbing" \ + "/t { @{attach_path}/** r, }" \ + "/t { /t/** r, }" + + verify_binary_equality "@{attach_path} w/pat expands correctly" \ + "/t/* { @{attach_path} r, }" \ + "/t/* { /t/* r, }" + + 
verify_binary_equality "@{attach_path} w/pat expands correcly - filter /" \ + "/t/* { @{attach_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/pat expands correcly - add globbing" \ + "/t/* { @{attach_path}/** r, }" \ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correctly" \ + "profile a /t { @{attach_path} r, }" \ + "profile a /t { /t r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correcly - filter /" \ + "profile a /t { /r/@{attach_path} r, }" \ + "profile a /t { /r/t r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correcly - add globbing" \ + "profile a /t { @{attach_path}/** r, }" \ + "profile a /t { /t/** r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correctly" \ + "profile a /t/* { @{attach_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - filter /" \ + "profile a /t/* { @{attach_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - add globbing" \ + "profile a /t/* { @{attach_path}/** r, }" \ + "profile a /t/* { /t/*/** r, }" + + ######## @{exec_path} ####### + verify_binary_equality "@{exec_path} expands correctly" \ + "/t { @{exec_path} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{exec_path} expands correcly - filter /" \ + "/t { /r/@{exec_path} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{exec_path} expands correcly - add globbing" \ + "/t { @{exec_path}/** r, }" \ + "/t { /t/** r, }" + + verify_binary_equality "@{exec_path} w/pat expands correctly" \ + "/t/* { @{exec_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/pat expands correcly - filter /" \ + "/t/* { @{exec_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/pat expands correcly - add globbing" \ + "/t/* { @{exec_path}/** r, }" 
\ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correctly" \ + "profile a /t { @{exec_path} r, }" \ + "profile a /t { /t r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correcly - filter /" \ + "profile a /t { /r/@{exec_path} r, }" \ + "profile a /t { /r/t r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correcly - add globbing" \ + "profile a /t { @{exec_path}/** r, }" \ + "profile a /t { /t/** r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correctly" \ + "profile a /t/* { @{exec_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - filter /" \ + "profile a /t/* { @{exec_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - add globbing" \ + "profile a /t/* { @{exec_path}/** r, }" \ + "profile a /t/* { /t/*/** r, }" +} run_tests() { @@ -1082,6 +1220,8 @@ run_tests() "@{BAR}=bin/ \#value /t { /@{BAR} r, }" + test_parser_variables + # verify combinations of different priority levels # for single rule comparisons, rules should keep same expected result # even when the priorities are different. diff --git a/parser/tst/minimize.sh b/parser/tst/minimize.sh index 8b3c4850c..82f6a2721 100755 --- a/parser/tst/minimize.sh +++ b/parser/tst/minimize.sh 
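Review bot: Several of the "filter /" cases in test_parser_variables do not exercise slash filtering: `@{profile_name} w/pat expands correcly - filter /` repeats the input of the preceding `w/pat expands correctly` case, and the `@{attach_path} w/pat ... - filter /` and `@{exec_path} w/pat ... - filter /` cases likewise duplicate the plain w/pat case, whereas the non-pattern variants correctly use `/r/@{...}`. For attach_path the intended form is presumably `"/t/* { /r/@{attach_path} r, }" \` against `"/t/* { /r/t/* r, }"`, and the profile_name and exec_path cases follow the same shape. The descriptions also spell "correctly" as "correcly" in most cases, which makes failure output harder to grep. A short comment that exec_path currently aliases attach_path (so the two tables are expected to stay identical until kernel variables are used) would explain the duplicated block.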
@@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}" # {a} (0x 40030/0/0/0) echo -n "Minimize profiles basic perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -93,7 +93,7 @@ echo "ok" # {9} (0x 12804a/0/2800a/0) # {c} (0x 40030/0/0/0) echo -n "Minimize profiles audit perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -112,7 +112,7 @@ echo "ok" # {c} (0x 40030/0/0/0) echo -n "Minimize profiles deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi 
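Review bot: Every test input in this file changes from `/t { ... }` to `profile t { ... }` (hunks -78, -93, -112, -130, -155, -173, -208, -216, -229 and -241) without a comment explaining why the path-named form no longer yields the expected state counts; presumably a path-named profile now gets a synthesized attachment and the extra work shows up in the `-D dfa-states` output, but the commit does not say so. Please record the reason once near the top of the file, e.g. `# profiles use a non-path name so that the attachment a path-named profile now receives does not change the dfa-states count`, adjusted if the cause is different. Switching every case also means the minimization tests no longer cover a path-named profile at all; keeping one of them with its updated count would preserve that coverage.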
@@ -130,7 +130,7 @@ echo "ok" # {c} (0x 40030/0/0/0) echo -n "Minimize profiles audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then echo "failed" exit 1; fi @@ -155,7 +155,7 @@ echo "ok" ## NOTE: change count from 6 to 7 when extend perms is not dependent on ## prompt rules being present echo -n "Minimize profiles extended no-filter audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then echo "failed" exit 1; fi 
@@ -173,7 +173,7 @@ echo "ok" # {2} (0x 4/0//0/0/0) <- from policydb still showing up bug echo -n "Minimize profiles extended filter audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -208,7 +208,7 @@ echo "ok" # echo -n "Minimize profiles xtrans " -if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then +if [ "$(echo "profile t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then echo "failed" exit 1; fi @@ -216,7 +216,7 @@ echo "ok" # same test as above + audit echo -n "Minimize profiles audit xtrans " -if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then +if [ "$(echo "profile t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then echo "failed" exit 1; fi 
@@ -229,7 +229,7 @@ echo "ok" # {3} (0x 0/fe17f85/0/14005) echo -n "Minimize profiles deny xtrans " -if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then +if [ "$(echo "profile t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then echo "failed" exit 1; fi @@ -241,7 +241,7 @@ echo "ok" # {3} (0x 0/fe17f85/0/0) echo -n "Minimize profiles audit deny xtrans " -if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then +if [ "$(echo "profile t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then echo "failed" exit 1; fi diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd new file mode 100644 index 000000000..0e248606c --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto attach_path variable in rules +#=EXRESULT PASS + +profile /a/test/profile { + /a/test/profile rix, + + @{attach_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd new file mode 100644 index 000000000..806e0bb2d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd 
@@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto atach_path variable in rules +#=EXRESULT PASS + +profile this_is_a_test /a/test/profile { + /a/test/profile rix, + + /run/@{attach_path}/tmp rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd new file mode 100644 index 000000000..c05addc61 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto attach_path from profile +#=EXRESULT PASS + +/test/profile { + /test/profile rix, + + /run/@{attach_path}/tmp rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd new file mode 100644 index 000000000..f925c9c3f --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto attach_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile spork /a/*/c { + @{attach_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd new file mode 100644 index 000000000..309a7d45d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto attach_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile /a/b/c { + @{attach_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd new file mode 100644 index 000000000..77dc87f57 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto attach_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile /a/*/c { + @{attach_path}/** rw, + } +} 
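Review bot: The description of vars_auto_attach_path_02.sd reads `#=DESCRIPTION reference auto atach_path variable in rules`; it should be `attach_path`, since these descriptions are what the harness prints on failure. The series also jumps from _03 to _05 in both the attach_path and exec_path sets; if a _04 case was dropped on purpose, renumbering avoids the impression that a file is missing from the commit.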
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd new file mode 100644 index 000000000..f1bac3b11 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd @@ -0,0 +1,20 @@ +#=DESCRIPTION ensure attach_path expansion after subprofiles works +#=EXRESULT PASS + +profile top_profile /test/profile { + + /first/path/@{attach_path}/tmp rwk, + + profile spork { + owner /tmp/* r, + /run/@{profile_name}/** rw, + } + + hat spelunkk { + owner /tmp/* r, + /run/@{profile_name}/** rw, + } + + # Does this expand properly? + /second/path/@{attach_path}/tmp rk, +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd new file mode 100644 index 000000000..9e8f2e512 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto @{attach_path} variable in rules when not created +#=EXRESULT FAIL + +test/profile { + /a/test/profile rix, + + mr @{attach_path}, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd new file mode 100644 index 000000000..bbd9c7e12 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd @@ -0,0 +1,12 @@ +#=DESCRIPTION reference auto attach_path from profile +#=EXRESULT FAIL + +/test/profile { + /test/profile rix, + + # hat does not have an attachment and profile's attachment doesn't apply + ^spork { + owner /tmp/* r, + /spork/@{attach_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd new file mode 100644 index 000000000..dbe64510d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd 
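Review bot: vars_auto_attach_path_bad_1.sd is meant to fail because `@{attach_path}` is undefined for a non-path profile, but its header `test/profile {` omits both the leading `/` and the `profile` keyword, so the parser may reject the file on the header alone and the test would pass for the wrong reason. Use `profile test {` instead: the name still does not start with `/`, so no attachment is synthesized and the undefined-variable path is what gets exercised. The same applies to vars_auto_exec_path_bad_1.sd later in this diff.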
@@ -0,0 +1,16 @@ +#=DESCRIPTION ensure attach_path expansion after subprofiles works +#=EXRESULT FAIL + +profile top_profile /test/profile { + + /first/path/@{attach_path}/tmp rwk, + + # subprofile doesn't have attach_pathes + hat spelunkk { + owner /tmp/* r, + /run/@{attach_path}/** rw, + } + + # Does this expand properly? + /second/path/@{attach_path}/tmp rk, +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd new file mode 100644 index 000000000..bae584fda --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto attach_path variable collides with user defined +#=EXRESULT FAIL + +@{attach_path}=/BAD +profile /a/test/profile { + /a/test/profile rix, + + @{attach_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd new file mode 100644 index 000000000..64faf18c9 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd @@ -0,0 +1,11 @@ +#=DESCRIPTION reference auto attach_path variable in rules w/hats +#=EXRESULT FAIL + +profile idf3s2A6GX8vrk /simple/profile { + /test/profile rix, + + ^test { + /run/@{attach_path}/tmp rwk, + } +} + diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd new file mode 100644 index 000000000..f20f78433 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto exec_path variable in rules +#=EXRESULT PASS + +profile /a/test/profile { + /a/test/profile rix, + + @{exec_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd new file mode 100644 index 000000000..5408e07bf --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd 
@@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto exec_path variable in rules +#=EXRESULT PASS + +profile this_is_a_test /a/test/profile { + /a/test/profile rix, + + /run/@{exec_path}/tmp rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd new file mode 100644 index 000000000..0e0a7a365 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto exec_path from profile +#=EXRESULT PASS + +/test/profile { + /test/profile rix, + + /run/@{exec_path}/tmp rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd new file mode 100644 index 000000000..69cc06b23 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto exec_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile spork /a/*/c { + @{exec_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd new file mode 100644 index 000000000..d2c9f50a9 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto exec_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile /a/b/c { + @{exec_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd new file mode 100644 index 000000000..f3b8bcceb --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto exec_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile /a/*/c { + @{exec_path}/** rw, + } +} 
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd new file mode 100644 index 000000000..cd9719b3d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd @@ -0,0 +1,20 @@ +#=DESCRIPTION ensure exec_path expansion after subprofiles works +#=EXRESULT PASS + +profile top_profile /test/profile { + + /first/path/@{exec_path}/tmp rwk, + + profile spork { + owner /tmp/* r, + /run/@{profile_name}/** rw, + } + + hat spelunkk { + owner /tmp/* r, + /run/@{profile_name}/** rw, + } + + # Does this expand properly? + /second/path/@{exec_path}/tmp rk, +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd new file mode 100644 index 000000000..418140701 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto @{exec_path} variable in rules when not created +#=EXRESULT FAIL + +test/profile { + /a/test/profile rix, + + mr @{exec_path}, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd new file mode 100644 index 000000000..311febd5c --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd @@ -0,0 +1,12 @@ +#=DESCRIPTION reference auto exec_path from profile +#=EXRESULT FAIL + +/test/profile { + /test/profile rix, + + # hat does not have an attachment and profile's attachment doesn't apply + ^spork { + owner /tmp/* r, + /spork/@{exec_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd new file mode 100644 index 000000000..5b5778798 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd 
@@ -0,0 +1,16 @@ +#=DESCRIPTION ensure exec_path expansion after subprofiles works +#=EXRESULT FAIL + +profile top_profile /test/profile { + + /first/path/@{exec_path}/tmp rwk, + + # subprofile doesn't have exec_pathes + hat spelunkk { + owner /tmp/* r, + /run/@{exec_path}/** rw, + } + + # Does this expand properly? + /second/path/@{exec_path}/tmp rk, +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd new file mode 100644 index 000000000..c83653004 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto exec_path variable collides with user defined +#=EXRESULT FAIL + +@{exec_path}=/BAD +profile /a/test/profile { + /a/test/profile rix, + + @{exec_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd new file mode 100644 index 000000000..d5ea19841 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd @@ -0,0 +1,11 @@ +#=DESCRIPTION reference auto exec_path variable in rules w/hats +#=EXRESULT FAIL + +profile idf3s2A6GX8vrk /simple/profile { + /test/profile rix, + + ^test { + /run/@{exec_path}/tmp rwk, + } +} +